On December 12, 2017, the Federal Trade Commission (FTC) held a workshop to examine consumer injury in the context of privacy and data security. The motivation for the workshop, according to Acting FTC Chairman Maureen Ohlhausen, was to help the FTC better understand consumer informational injury, weigh effectively the benefits of intervention against its inevitable costs, and to help guide the future application of the substantial injury prong of the FTC’s unfairness standard. A variety of panelists from a wide range of backgrounds, including business, academia, and consumer advocacy, addressed questions such as how to best characterize these injuries, how to accurately measure such injuries and their prevalence, and what factors businesses and consumers consider when evaluating the trade-offs between providing information and potentially increasing their exposure to injuries.

Opening Remarks

Acting Chairman Ohlhausen opened the workshop with brief remarks describing its purpose and goals. She stated her belief that government does the most good with the fewest side effects when it deals with real—rather than hypothetical—injury and that it should weigh intervention versus the costs. She also stated that privacy benefits consumers because it protects them from the harms of information misuse, but if there are no harms, data use restrictions impose only costs. She stated that she believes a principled and consistent framework is needed for measuring injury such misuse could cause.

According to Acting Chairman Ohlhausen, a strong framework for assessing consumer injury will serve two purposes: (1) it will help the FTC think critically as it monitors new technologies and data uses for consumer injury; and (2) it will help establish criteria by which to judge whether privacy and data security enforcement is the proper tool, or whether other mechanisms are better equipped to address data use issues.

First Panel: Injuries 101

The first panel explored a broad array of negative outcomes that can result from unauthorized access or misuse of consumers’ personal information. Panelists were asked to discuss the harm posed by forms of identity theft other than the “traditional” form.

A number of the panelists emphasized that medical identity theft poses extraordinary harms to its victims. Specifically, they asserted that victims may be subject to fictitious entries entered into their medical file for which there is little recourse. They also stated that identity theft is increasingly occurring using spoofed biometric authentication, particularly in the healthcare context, and that domestic violence, stalking, and sexual violence are also connected to unauthorized access or misuse of personal information. One of the most common tactics of abusers identified by the panelists is to ruin a victim’s credit, which can lead to loss of employment and a variety of downstream consequences. Another negative outcome from the misuse of information cited by the panelists is doxing. The panelists stated that doxing—publicly releasing information that individuals wish to keep private—can lead to fairly innocuous repercussions, like someone ordering a pizza to a victim’s house, or to more serious harms, such as someone creating a fake emergency situation, known as swatting.

Panelists pointed out that as the volume of consumer data grows, the number of decisions that were previously made by humans is increasingly being made by algorithms, and understanding the consequences of the use of these algorithms will be increasingly difficult. For instance, panelists stated that differential pricing has given customers things like senior and student discounts for years without creating what might be considered financial injury, but such price differences can raise new concerns as consumer purchasing increasingly moves to the Internet, and pricing can shift based on a range of consumer attributes.

Second Panel: Potential Factors in Assessing Injury

The second panel focused on the responsibilities of commercial entities that collect and store data. The moderators presented a privacy hypothetical, then a security hypothetical. They asked the panelists to raise their hands during the hypothetical when they believed injury takes place. The conversation then focused on why panelists raised their hands when they did.

The panelists varied greatly in their views regarding when harm occurred during the course of the hypotheticals. Some panelists felt there was no harm because there was no realized, quantifiable economic harm. Others, however, argued that such a viewpoint creates a very reductionist definition of injury. Another focus of the panelists was on whether the hypothetical consumer understood how his information was being collected and used.

The panelists also debated whether risk of an injury is itself an injury. Data breaches can often lead to an increased risk of an injury, but no obviously traceable harm. Some panelists argued that where risk is created where it did not exist before, such as where an action or negligence results in medical malpractice or the loss of value of consumer goods, the risk of an injury is itself an injury.

One panelist noted that as courthouse doors are being closed to tort plaintiffs, there is an increased urgency for an agency like the FTC to step in. On the other hand, another panelist expressed the idea that when there is a new technology or a new form of data collection, government should be careful about over-enforcing the law and over-deterring investment and innovation. The panelist argued that not all injuries necessitate government intervention, and there may be countervailing benefits arising from those injuries.

Third Panel: Business and Consumer Perspectives

The third panel explored how businesses and consumers perceive and evaluate the benefits, costs, and risks of collecting and sharing information in light of potential injury. Panelists were first asked “what are the risks and benefits businesses consider when deciding whether and how to collect and share consumer information?”

A focus of the panel was the advertising industry’s self-regulatory model. The panel discussed how in crafting this regime, the industry thinks about the types of injuries that might be quantifiable and economically harm a person. Panelists also noted that, on the other hand, companies exhibit the normal human tendency to overestimate the benefits of data collection in comparison to the risks. Practices, however, vary from industry sector to industry sector. Some panelists expressed the idea that self-regulation has an advantage over regulation or legislation because there can be a faster and more flexible response as new technology is developed.

The panelists also discussed the importance of evaluating data breaches separately from inappropriate use of information by a company. According to the panelists, companies like Google, Apple, Facebook, and Amazon are leaders in securing data from breaches, and their practices should be followed by smaller entities. Recent breaches show, however, that not all companies are meeting consumer expectations for security. Some panelists noted that even when a breach occurs, it is unclear what, if anything, a consumer should do.

The panelists debated the effectiveness of education, transparency, and privacy policies in keeping data usage in line with consumer expectations. Some panelists noted that although many consumers claim privacy is important to them, they often take actions that do not align with this standpoint. Additionally, the panelists discussed how some consumers might appreciate being given the ability to choose between many privacy options, while others might be overwhelmed by the complexity. In either case, panelists noted that default settings are important, and that consumers may have no options at all where companies are collecting information with no direct connection to consumers.

Fourth Panel: Measuring Injury

The fourth and final panel examined different methods for, and challenges in, assessing and quantifying informational injury. Discussion topics included how to quantify injury, including risk of injury, for data breaches and privacy violations, and how consumers’ choices and reported preferences can be accounted for in such measurements.

The panelists primarily discussed the privacy paradox: the difference between consumers stated preferences regarding privacy versus their revealed preferences when forced to make a monetary decision. Panelists noted that, in many cases, consumers who state a strong preference for privacy-protective features nonetheless utilize products that lack such features. Panelists questioned whether consumers are willing to give information away because they do not understand the risks, or whether they do understand the risks, but nonetheless believe the benefits outweigh the risk. Additionally, some panelists took the view that some individuals may see no point in keeping their information private when they have been affected by multiple data breaches.

The panelists also compared the effectiveness of regulating privacy violations from an ex-ante or ex-post perspective. According to some panelists, the ex-post perspective currently in use is narrow-minded because a lot of harm may not happen yet, but there is risk that it will. These panelists argue that because traceability is such a problem, harm may occur, but there is no method by which to seek compensation.

A comparison was drawn to environmental law, and methods used to calculate harm, including conjoint analysis, and contingent valuation. Conjoint analysis involves asking survey responders to make choices, as if they were in the market making choices from among some set of hypothetical products that have different features or attributes. If they make enough choices, which attributes they value and which are unimportant becomes apparent. Contingent valuation can be roughly described as asking people how much compensation they would need if some bad event happened—for example how much should taxes be raised to avoid an oil spill—and extrapolating the amount of harm that has occurred.

Closing Remarks

In his closing remarks, Deputy Director for Consumer Protection in the Bureau of Economics Andrew Stivers highlighted one interesting aspect from each of the four panels.

From the first panel, Stivers pointed out that personal and social interactions can become amplified by commercialization, which in turn can create harm. To illustrate, he highlighted the FTC’s enforcement work in the area of revenge porn, where the commission has taken action against third parties who facilitate sensitive content being made public.

According to Stivers, the second panel highlighted the difficulty posed by vague terms such as “injury.” Additionally, he noted that if a consumer is willing to take an expensive action ex ante to mitigate the risk of a bad outcome, there is a potential risk of harm. Similarly, he stated that if a firm takes an action or has a practice that motivates a person to spend money to mitigate risk, there is harm.

From the third panel, Stivers highlighted the question of internal misuse versus external misappropriation. He stated that it is important to consider both whether a company uses data internally in a way that defies consumer expectations or is deceptive, and harms that arise because the company has collected data and not secured it from outside, potentially criminal actors.

Last, from the final panel, Stivers emphasized the need to know the kinds of injuries, actions, outcomes, and practices that are occurring, and the need to get a sense of what the market incentives are. He noted questions such as: Will the market take care of a problem? Are there incentives in the market for actors to mitigate the risks? Is there some sort of market failure that would call for a regulatory approach?

Where the FTC will go from here following the workshop is uncertain. Three new commissioners are expected to join the FTC this year, including a new chairman for the agency. As the workshop was the product of initiatives driven by Acting Chairman Ohlhausen, it remains to be seen how the new makeup of commissioners, and the new chairman, will continue to address this topic.